U.S., China Talks Address Cyber-Weapons, Not Cyber-Spying

Informal discussions between the United States and Chinese think tanks have led to an understanding about cyber-spying, but not solutions.

The United States and China have participated in informal bilateral discussions about restricting the use of online attacks, better crisis communication and mitigating the risk of attacks by third parties. Still, there is one issue notably missing from the dialog: any agreement on limiting cyber-espionage.
Organized by the China Institute of Contemporary International Relations (CICIR) and the Center for Strategic and International Studies, the discussions brought together members of other think tanks as well as government officials to highlight problems the nations continue to have in cyber-space. The groups agreed that restricting the use of attack programs in cyber-space-a.k.a., "cyber-weapons"-and cooperating more fully to secure cyber-space were both in their nations' interests, but acknowledged that there were significant hurdles to working together, said Adam Segal, senior fellow for China studies at the Council on Foreign Relations.

"The fact that the meeting happened and that the Chinese delegation was fairly large all point to the fact that both governments see this as an increasing threat and the Chinese see themselves as increasingly vulnerable," said Segal in an interview Aug. 14. "Everyone realizes that there is no domestic or one-party solution-that it has to be collaborative-and that means cooperating with people who are also your competitors at times."

Attackers based in China have increasingly, and with greater evidence, been linked to attacks on the United States and multi-national companies, as well as government agencies. At the same time, the United States has acknowledged its role in crafting and releasing an attack designed to hobble Iran's nuclear processing capability, according to claims in a book written by a New York Times reporter.
The United States would like China to crack down on citizens who are stealing intellectual property from U.S. firms, while China would like the United States to relinquish some of its control of the Internet and stop militarizing cyber-space, according to a summary of the last meeting between the two nations in June 2012.
Neither nation is likely to give up any ground on these sensitive topics, said Segal, who attended the last meeting in June.

On other topics, there may be more room to work with one another, but implementation will be difficult. One of the greatest concerns is supply-chain security, for example, with both nations concerned that the other may introduce a backdoor into critical-infrastructure or security products. However, there are no easy solutions to the problem.
Another problem, perhaps more tenable, is the lack of communication channels that could be used during a crisis. However, the Chinese have significant domestic barriers to creating an effective communication channel and to allowing international law-enforcement agencies to cooperate, said Segal.
"We are at the point where we understand each other's differences," said Segal. "There are areas of common appreciation of the threats ... but there is a clearly distinct approach to how do you deal with the threats and massive differences between the cyber-security and information security discussions."
China, like Russia, supports the International Code of Conduct for Information Security, a set of doctrines that require nations to cooperate in cyber-space. The United States is unlikely to support the code, because it undermines the nation's dominant position in managing the Internet and would require nations to treat information security, which could include the censorship of free speech, as a cyber-security problem.
Overwrought media reports on cyber-war-not to mention cyber-Armageddon and digital Pearl Harbors-have done little to assuage the Chinese. To the contrary, because of the state of their own media, the Chinese government typically sees such assertions as if they were official statements from the U.S. government, said Segal.
"Information security includes not only the protection of computer, communication and other critical networks that is the primary focus of U.S. officials, but also the threats that the free flow of information can present to domestic stability in closed authoritarian states-hello Twitter and the Arab Spring," Segal wrote in a 2011 analysis of China.